diff --git a/doc/Changelog b/doc/Changelog index 382743bc5..e5032bd6d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,9 @@ 17 October 2008: Wouter - port Leopard/G5: fixup type conversion size_t/uint32. please ranlib, stop file without symbols warning. + - harden referral path now also validates the root after priming. + It looks up the root NS authoritatively as well as the root servers + and attemps to validate the entries. 16 October 2008: Wouter - Fixup negative TTL values appearing (reported by Attila Nagy). diff --git a/doc/plan b/doc/plan index dd2963a68..673ca7238 100644 --- a/doc/plan +++ b/doc/plan @@ -80,7 +80,7 @@ not stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value * trouble counter, cache wipe threshold. + off-path validation -* root NS, root glue validation after prime ++ root NS, root glue validation after prime * ignore bogus nameservers, pretend they always return a servfail. diff --git a/iterator/iterator.c b/iterator/iterator.c index bba487748..6f6eab752 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -668,8 +668,9 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, continue; /* generate subrequest for it */ - log_nametypeclass(VERB_ALGO, "must fetch addr", s->rk.dname, - ntohs(s->rk.type), ntohs(s->rk.rrset_class)); + log_nametypeclass(VERB_ALGO, "schedule addr fetch", + s->rk.dname, ntohs(s->rk.type), + ntohs(s->rk.rrset_class)); if(!generate_sub_request(s->rk.dname, s->rk.dname_len, ntohs(s->rk.type), ntohs(s->rk.rrset_class), qstate, id, iq, @@ -704,7 +705,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) return; } - log_nametypeclass(VERB_ALGO, "must fetch ns", + log_nametypeclass(VERB_ALGO, "schedule ns fetch", iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass); if(!generate_sub_request(iq->dp->name, iq->dp->namelen, LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq, 
@@ -1643,6 +1644,24 @@ processPrimeResponse(struct module_qstate* qstate, int id)
 qstate->return_msg = NULL;
 }
+ /* validate the root or stub after priming (if enabled).
+ * This is the same query as the prime query, but with validation.
+ * Now that we are primed, the additional queries that validation
+ * may need can be resolved, such as DLV. */
+ if(qstate->env->cfg->harden_referral_path) {
+ struct module_qstate* subq = NULL;
+ log_nametypeclass(VERB_ALGO, "schedule prime validation",
+ qstate->qinfo.qname, qstate->qinfo.qtype,
+ qstate->qinfo.qclass);
+ if(!generate_sub_request(qstate->qinfo.qname,
+ qstate->qinfo.qname_len, qstate->qinfo.qtype,
+ qstate->qinfo.qclass, qstate, id, iq,
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ log_err("out of memory generating prime check");
+ }
+ generate_a_aaaa_check(qstate, iq, id);
+ }
+
 /* This event is finished. */
 qstate->ext_state[id] = module_finished;
 return 0;
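Review bot: When `generate_sub_request` fails inside the new `harden_referral_path` block, the code only logs "out of memory generating prime check" and then falls through to `module_finished`, so the hardening check is skipped and the primed root or stub data stays in use unvalidated. That may be the intended best-effort behaviour, but it should be stated, for example `/* best effort: if scheduling fails the primed delegation is used without validation */`, and the log line could name the zone so an operator can tell which prime went unchecked. `subq` is initialised and passed by address but never read afterwards, and the trailing `1` argument is presumably the flag that requests validation for the subrequest; a short comment on both would help the next reader. The call to `generate_a_aaaa_check` still runs after the failure path, which looks deliberate but is worth confirming. processPrimeResponse starts outside this hunk, so the declaration of `iq` is not visible here.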